Previously, there was a report highlighting the vulnerability of traffic lights to hacking. It indicated that privacy and security are key issues for critical infrastructure and the energy sector.
Now a new story has unfolded: millions of smart meters (network-connected electricity meters) used in Spain can be hacked due to lack of essential security implementations. According to the study conducted by a pair of security researchers and presented at Black Hat Europe this week, this particular vulnerability puts millions of homes at risk.
The meters were discovered to be rolled out by a Spanish utility company to track usage. The researchers discovered the meters could be cracked and spoof messages on how much energy is being used can be sent back to the company.
“We took them apart to see how they work,” said Javier Vidal, independent researcher, according to the BBC. “We suspected there could be some issues with them and we wanted to check. We feared the security would be easy to break and we confirmed that.”
Vidal and fellow researcher Alberto Illera discovered encryption keys inside the firmware of the device which could be used in conjunction with the meter’s unique identifier to spoof messages sent from the meter to the utility firm.
In addition to under-reporting energy usage, the flaw could also be utilized to make someone a victim to pay your bill and it’s said the pair could shut off power to specific locations by using this vulnerability.
This was made possible by the memory chip of smart meters, which contain flawed code that can be exploited to remotely shut down power supplies to individual houses, as well as transfer meter readings to other customers, tamper readings, and insert network worms that are capable of causing widespread blackouts.
The findings are similar to the work done by Greg Jones, a security investigator in the United Kingdom, who found shared IDs, inadequate tampering protection, and data that can be duplicated with ease, and he wasn’t surprised with the latest findings.
“I’m pretty sure that anyone who picked up one of these units would find similar problems,” he stated. “If you physically own a piece of hardware you can compromise it.”
The researchers stated they could take total control of the meter box, and also switch its unique ID to impersonate other boxes or transform the meter into a weapon for launching attacks against the power network.
“Oh wait? We can do this? We were really scared,” said Vazquez Vidal, another security expert involved in the smart meter research. “We started thinking about the impact this could have. What happens if someone wants to attack an entire country?”
There have been eight million smart meters installed in over 30 percent of households in Spain. There are three major utility firms dealing in this product: E.ON, Iberdrola and Endesa; the researchers haven’t disclosed the manufacturer whose smart meter was vulnerable at this time.
The pair isn’t worried that cybercriminals may knock out power grids, as they are far more interested in monetary endeavors by using programming skills. Terror attacks aren’t thought to pose a threat that is enough to bring down power grids, yet, but it won’t be long until instances like these start occurring, especially with such vulnerabilities.